Administration Console Online Help

This page configures the per-server SAML 2.0 Service Provider
properties.

If you are configuring SAML 2.0 Service Provider services for web
single sign-on, after you complete the configuration settings on this
page, return to the SAML 2.0 General page and click Publish Meta
Data.

Force Authentication (ForceAuthn): Specifies whether the Identity
Provider must authenticate the user directly rather than rely on a
previous security context. The default is false.

Note the following:

Setting ForceAuthn to true (that is, enabling Force
Authentication) has no effect in WebLogic Server. SAML logout is not
supported in WebLogic Server, so even if the user is already
authenticated at the Identity Provider site and ForceAuthn is set to
true, the user is not forced to authenticate again at the Identity
Provider site.

Setting both ForceAuthn and IsPassive to true (that is, enabling both
Force Authentication and Passive) is an invalid configuration. It
causes WebLogic Server to generate an exception and causes the single
sign-on session to fail.

Passive (IsPassive): Specifies whether the Identity Provider and the
user must not take control of the user interface from the requester
or interact with the user in a noticeable fashion. When enabled, the
Identity Provider can only reuse an existing security context. The
default is false.

The WebLogic Server SAML 2.0 services generate an exception if
Passive (IsPassive) is enabled and the end user is not already
authenticated at the Identity Provider site. In this situation, web
single sign-on fails.

The <AuthnRequest> cache timeout: the maximum time (in seconds) that
<AuthnRequest> documents are stored in the local cache.

This cache stores documents issued by the local Service Provider that
are awaiting a response from a partner Identity Provider. Documents
that reach this timeout are expired from the local cache even if no
response has been received from the Identity Provider. If a response
is subsequently returned by the Identity Provider, it can no longer be
matched to a pending request, and the cache behaves as if the
<AuthnRequest> had never been generated.
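The following is an added example, not WebLogic Server code, that models the Service Provider behaviour described on this page: it refuses the invalid ForceAuthn plus IsPassive combination, emits an <AuthnRequest> carrying the two flags, and keeps a cache of outstanding request IDs that expires entries after the configured timeout, so that a late or replayed Identity Provider response is no longer matched to a pending request. The class and function names, the sample issuer and URLs, and the 300-second timeout are all assumptions chosen for illustration; the response skeleton is constructed sample data with no signature or assertion.

```python
"""Added example (not WebLogic code): SP-side model of ForceAuthn/IsPassive
validation and the AuthnRequest cache timeout. Names are illustrative."""
import secrets
import time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


class InvalidSpConfig(ValueError):
    """Raised for a configuration the page calls invalid."""


def validate_sp_config(force_authn: bool, is_passive: bool) -> None:
    # Both flags true is rejected up front; WebLogic instead throws at SSO time.
    if force_authn and is_passive:
        raise InvalidSpConfig("ForceAuthn and IsPassive cannot both be true")


def build_authn_request(issuer, destination, acs_url,
                        force_authn=False, is_passive=False, now=None):
    """Return (request ID, serialized <samlp:AuthnRequest>)."""
    validate_sp_config(force_authn, is_passive)
    now = time.time() if now is None else now
    req_id = "_" + secrets.token_hex(16)  # xs:ID may not start with a digit
    issue_instant = datetime.fromtimestamp(now, tz=timezone.utc)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    # The SAML default for both attributes is false, so only emit them when set.
    if force_authn:
        root.set("ForceAuthn", "true")
    if is_passive:
        root.set("IsPassive", "true")
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return req_id, ET.tostring(root, encoding="unicode")


class AuthnRequestCache:
    """IDs of requests awaiting an IdP response, keyed to their issue time.
    Entries older than timeout_seconds are dropped whether or not a
    response ever arrives, mirroring the cache timeout described above."""

    def __init__(self, timeout_seconds: int):
        self.timeout = timeout_seconds
        self._pending = {}  # request ID -> issue time (epoch seconds)

    def store(self, req_id: str, issued_at: float) -> None:
        self._pending[req_id] = issued_at

    def _expire(self, now: float) -> None:
        for rid, issued in list(self._pending.items()):
            if now - issued >= self.timeout:
                del self._pending[rid]

    def consume(self, in_response_to: str, now: float) -> bool:
        """True exactly once for a live, known request ID; False otherwise."""
        self._expire(now)
        return self._pending.pop(in_response_to, None) is not None


def handle_response(cache: AuthnRequestCache, response_xml: str, now: float) -> bool:
    """Correlation check done before any assertion processing: InResponseTo
    must name a request this SP issued that has not yet expired."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False
    in_response_to = root.get("InResponseTo")
    if not in_response_to:
        return False  # this model does not accept unsolicited responses
    return cache.consume(in_response_to, now)


def make_response(in_response_to: str) -> str:
    """Constructed IdP response skeleton for the example (unsigned, no assertion)."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_{secrets.token_hex(8)}" '
            f'Version="2.0" InResponseTo="{in_response_to}"/>')


if __name__ == "__main__":
    cache = AuthnRequestCache(timeout_seconds=300)  # assumed timeout value
    t0 = 1_700_000_000.0
    rid, xml = build_authn_request("https://sp.example/saml2", "https://idp.example/sso",
                                   "https://sp.example/saml2/acs", force_authn=True, now=t0)
    cache.store(rid, t0)
    print(handle_response(cache, make_response(rid), t0 + 299))  # in time: True
    print(handle_response(cache, make_response(rid), t0 + 1))    # replay:  False
```

Two points the model makes visible that the prose only states: a response that arrives after the timeout fails correlation exactly like a response to a request that was never issued, and because `consume` pops the ID, a second response citing the same InResponseTo is also rejected. A real Service Provider additionally verifies the response signature, Destination and assertion conditions; those checks are outside the scope of this page.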